Anyone can log into your Mac without your password — here’s how to fix it
Anyone using MacOS High Sierra should be on high alert. A Twitter user revealed a massive security vulnerability which allows anyone to log into your system as an administrator without valid login credentials. All a malicious user has to do is attempt to log in as “root” from the login screen, leave the password field blank, and press enter over and over until the system allows access.
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
The scary news is that it’s true — we tried it on our own MacBooks. That means anyone can approach your iMac, MacBook, or Mac Pro and access your computer without anything more than a couple keystrokes and zero technical know-how. Thankfully, there is a quick and easy fix — all you have to do is change your system’s Root password. If you’ve already changed your system’s Root password, you’re safe. If not, however, changing that password should keep you safe until Apple issues an official patch.
Assuming you’re running MacOS High Sierra, we’ll teach you below how to fix the problem.
First, we’re going to open up System Preferences, select Login Options, then click Join right beside Network Account Server. This will open up a small dialog box, there you will want to click Open Directory Utility.
From here, mouse up to your Finder bar, and click Edit. From this drop-down menu click Change Root Password. This is the most important part: Pick a strong, unique password that you won’t forget.
That’s it, problem solved — for now. Apple has yet to issue an official patch or set of instructions on how to protect yourself, but the above fix should do it. Just make sure you keep an eye on your Mac until this all gets sorted out.
The whole issue came to light after an industrious Twitter user pinged Apple Support’s official Twitter account for help regarding the vulnerability and from there it caught fire and spread. Twitter users from all over the world were confirming that they could replicate the vulnerability, and access their own computers without using anything more than a four-letter word.
This isn’t just a minor vulnerability, like a loophole in some bit of code somewhere that only a security expert could exploit. This is a dead-simple way to break into someone else’s computer, and hopefully, Apple will address the situation officially.
Note: We’ve reached out to Apple about the security issue, and we’ll update this post when we hear back.